[PATCH v2] ieee1275: prevent buffer over-read

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v2] ieee1275: prevent buffer over-read

From:	Eric Snowberg
Subject:	[PATCH v2] ieee1275: prevent buffer over-read
Date:	Mon, 15 Feb 2016 10:53:45 -0800

Prevent buffer over-read in grub_machine_mmap_iterate. This was
causing phys_base from being calculated properly. This then
caused the wrong value to be placed in ramdisk_image within
struct linux_hdrs. Which prevented the ramdisk from loading on
boot.

Newer SPARC systems contain more than 8 available memory entries.

For example on a T5-8 with 2TB of memory, the memory layout could
look like this:

T5-8 Memory
reg                      00000000 30000000 0000003f b0000000
                         00000800 00000000 00000040 00000000
                         00001000 00000000 00000040 00000000
                         00001800 00000000 00000040 00000000
                         00002000 00000000 00000040 00000000
                         00002800 00000000 00000040 00000000
                         00003000 00000000 00000040 00000000
                         00003800 00000000 00000040 00000000
available                00003800 00000000 0000003f ffcae000
                         00003000 00000000 00000040 00000000
                         00002800 00000000 00000040 00000000
                         00002000 00000000 00000040 00000000
                         00001800 00000000 00000040 00000000
                         00001000 00000000 00000040 00000000
                         00000800 00000000 00000040 00000000
                         00000000 70000000 0000003f 70000000
                         00000000 6eef8000 00000000 00002000
                         00000000 30400000 00000000 3eaf6000
name                     memory

Signed-off-by: Eric Snowberg <address@hidden>
---
 grub-core/kern/ieee1275/mmap.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/grub-core/kern/ieee1275/mmap.c b/grub-core/kern/ieee1275/mmap.c
index 911bb00..d7f6a1b 100644
--- a/grub-core/kern/ieee1275/mmap.c
+++ b/grub-core/kern/ieee1275/mmap.c
@@ -25,7 +25,7 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void 
*hook_data)
 {
   grub_ieee1275_phandle_t root;
   grub_ieee1275_phandle_t memory;
-  grub_uint32_t available[32];
+  grub_uint32_t available[128];
   grub_ssize_t available_size;
   grub_uint32_t address_cells = 1;
   grub_uint32_t size_cells = 1;
@@ -49,6 +49,9 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void 
*hook_data)
                                          sizeof available, &available_size))
     return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
                       "couldn't examine /memory/available property");
+  if (available_size > sizeof (available))
+    return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
+                       "/memory response buffer exceeded");
 
   if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_BROKEN_ADDRESS_CELLS))
     {
-- 
1.7.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v2] ieee1275: prevent buffer over-read, Eric Snowberg <=
- Re: [PATCH v2] ieee1275: prevent buffer over-read, Andrei Borzenkov, 2016/02/22

Prev by Date: Re: [PATCH v3 2/3] i386: Add support for loading from android bootimg
Next by Date: [PATCH] sparc64: fix OF path names for sun4v systems
Previous by thread: multiboot_mmap_entry.zero isn't zero
Next by thread: Re: [PATCH v2] ieee1275: prevent buffer over-read
Index(es):
- Date
- Thread